
"SSL decode as" for more protocols

asked 2018-11-07 12:49:47 +0000

19mario91


I have two protocols (IEC 60870-5-104 Port: 19998 and IEC61850 (TPKT,MMS) Port: 3782) that are sent with a TLS encryption. Decrypting these data works perfectly fine, but unfortunately it is not possible to call the dissectors for these protocols when I make a right click -> Decode as with the "SSL TCP Dissector" since there are just some protocols I can use.

Is there some possibility to add additional protocols to this list?

Best regards, Mario


2 Answers


answered 2018-11-08 01:56:30 +0000

Guy Harris

Yes, but currently that has to be done by changing the source code of the dissectors for those protocols to register them as running atop TLS.

Are the port numbers standard port numbers for those protocols when they run atop TLS, or are they just the port numbers that happened to be used in those particular captures or that your organization happens to use?



19998 is the IANA registered port for iec-104-sec (IEC 60870-5-104 Secure).

I'm not aware of any specific IANA port for IEC61850 MMS, IEC62351 is the document series that handles security in energy management systems and IEC62351-3 is the standard for TLS over TCP/IP and IEC62351-4 is the specific profile for MMS, but these are behind the IEC paywall. I believe IEC 62351 at some point says to use port 3782 instead of the standard port 102 for TLS connections.

3782 is the IANA registered port for iso-tp0s (Secure ISO TP0), so seems to be a reasonable "standard".

grahamb ( 2018-11-08 11:39:05 +0000 )

Yes exactly, those are the standards from which we use the port numbers. Is it possible to implement this enhancement in Wireshark? Would be very helpful :)

19mario91 ( 2018-11-08 11:53:31 +0000 )

answered 2018-11-10 02:04:31 +0000

Guy Harris

Implementing "port 19998 is IEC 60870-5-104-Apci over TLS" and "port 3782 is TPKT-over-TLS" is relatively straightforward; if you could file an enhancement request on the Wireshark Bugzilla, with sample captures attached, if possible, for development, testing, and regression testing purposes, that would be helpful.

That would obviate the need for "Decode as...".

Implementing "Decode as..." for "Decode as XXX-over-TLS" with a single GUI operation is a bit more work; it might now be possible to first say "Decode that port as TLS" and, once the capture is redissected with traffic to and from that port dissected as TLS, say "Decode that port, for TLS, as XXX", but being able to do the "over TLS" along with "XXX" would probably be an improvement.



Asked: 2018-11-07 12:49:47 +0000

Seen: 728 times

Last updated: Nov 10 '18